Cloudflared systemd service fails to start

The cloudflared systemd service keeps failing:

Jun 19 10:17:49 case systemd[1]: Starting cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service...
Jun 19 10:17:49 case (udflared)[3432]: cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service: Failed to set up credentials: Protocol error
Jun 19 10:17:49 case (udflared)[3432]: cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service: Failed at step CREDENTIALS spawning /nix/store/ii1dwcwwyrppkz61wv3xbrwnzb9x8v34-cloudflared-2025.5.0/bin/cloudflared: Protocol error
Jun 19 10:17:49 case systemd[1]: cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service: Main process exited, code=exited, status=243/CREDENTIALS
Jun 19 10:17:49 case systemd[1]: cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service: Failed with result 'exit-code'.
Jun 19 10:17:49 case systemd[1]: Failed to start cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service.
Jun 19 10:17:49 case systemd[1]: cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service: Scheduled restart job, restart counter is at 5.
Jun 19 10:17:49 case systemd[1]: cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service: Start request repeated too quickly.
Jun 19 10:17:49 case systemd[1]: cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service: Failed with result 'exit-code'.
Jun 19 10:17:49 case systemd[1]: Failed to start cloudflared-tunnel-bb45604a-1292-447a-a349-d619f43b798.service.

My configuration was working until I moved the tunnelId to vars.nix. This is my current cloudflared.nix file:

{
  config,
  pkgs,
  vars,
  ...
}:
{
  services.cloudflared = {
    enable = true;
    tunnels = {
      "${vars.tunnelId}" = {
        credentialsFile = "/home/${vars.username}/.cloudflared/${vars.tunnelId}.json";
        default = "http_status:404";
      };
    };
  };

  environment.systemPackages = with pkgs; [
    cloudflared
  ];
}

All I can think of is that the service cannot access the credentials file, hence “status=243/CREDENTIALS”, but the same config was working before I moved the tunnelId to vars.nix, so I’m not sure why that would cause it to suddenly fail.


I went back and hardcoded the values, but still the same issue.

I was missing a character at the end of the tunnel ID in vars.nix.
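
Added example (not part of the original posts): a pre-flight check for the failure resolved above. The credentialsFile path is built from vars.tunnelId, so a truncated ID also yields a path to a file that does not exist. The function names `check_tunnel_id` and `check_tunnel` and the directory argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Pre-flight check for one services.cloudflared.tunnels entry (added example).

# check_tunnel_id ID: returns 0 if ID is a UUID (hex groups of 8-4-4-4-12),
# otherwise prints which group is wrong and returns 1.
check_tunnel_id() {
    rest=$1
    n=0
    for want in 8 4 4 4 12; do
        n=$((n + 1))
        group=${rest%%-*}            # text up to the next dash
        case $group in
            ''|*[!0-9a-fA-F]*) echo "group $n is not hex: '$group'"; return 1 ;;
        esac
        if [ "${#group}" -ne "$want" ]; then
            echo "group $n has ${#group} hex digits, expected $want"
            return 1
        fi
        case $rest in
            *-*) [ "$n" -lt 5 ] || { echo "unexpected text after group 5"; return 1; }
                 rest=${rest#*-} ;;   # drop the group just checked
            *)   [ "$n" -eq 5 ] || { echo "only $n groups, expected 5"; return 1; } ;;
        esac
    done
    return 0
}

# check_tunnel ID DIR: 0 = ok, 1 = malformed ID, 2 = DIR/ID.json not readable.
check_tunnel() {
    if ! msg=$(check_tunnel_id "$1"); then
        echo "tunnel ID '$1': $msg"
        return 1
    fi
    creds="$2/$1.json"
    if [ ! -r "$creds" ]; then
        echo "credentials file not readable: $creds"
        return 2
    fi
    echo "ok: $creds"
}

# The ID taken from the unit name in the log above:
check_tunnel_id "bb45604a-1292-447a-a349-d619f43b798" || true
# prints: group 5 has 11 hex digits, expected 12
```

Run `check_tunnel` with the value from vars.nix and the directory holding the credentials JSON before rebuilding; a non-zero return identifies whether the ID or the file is the problem.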